H1-202 Recap: Mapbox Pays Out Nearly $65,000 in One Day

Cherry blossoms, melting snow, sunshine and a whole lot of hacking.Twenty-seven hackers representing nine countries gathered at the U.S. capital over the weekend for HackerOne’s first live hacking event in Washington, D.C. with local location data and mapping platform, Mapbox. The weekend consisted of a community day with Virginia-based high schoolers and a live hacking day — nine hours of hacking at Mapbox HQ, resulting in over 100 bugs reported and nearly $65,000 paid in rewards.

Hackers look towards to White House during a walking tour of Washington, D.C. on Friday, March 23, 2018

DAY 1: HACKERS ON THE HILL
For many, it was a first time visiting Washington DC. We took to the streets for a wonderful tour through the sights at the National Mall: Lincoln Memorial, Washington Monument, Vietnam War Memorial, and ending up at the US Capitol building for our Hackers on the Hill tour.  

Our special tour guide for “Hackers on the Hill” was Nick from Congressman Jim Langevin’s Office. What a treat! And a special thanks to Beau Woods for helping organize!

Festivities continued into the evening as we gathered at Momofuku restaurant for drinks and networking, (the beet salad was scrumptious, as was the soju cocktail). 

DAY 2: COMMUNITY DAY
Saturday consisted of a community day with CodeVA. CodeVA is a non-profit that partners with schools, parents, and communities to bring equitable computer science education to all of Virginia's students. HackerOne and Mapbox partnered to host 30 CodeVA students for a day of panel discussions with hackers, career advice from women in security, an introduction to hacking for good and a hands on CTF workshop.

Hacker Jack Cable (cablej) helps Virginia high schools students during the CTF portion of the community day with CodeVA

DAY 3: LIVE HACKING MAPBOX
Nine hours, 103 vulnerabilities reported and $64,925 paid to hackers. Mapbox HQ was abuzz with collaboration and creativity as 27 hackers from Sweden, USA, India, Uruguay, Belgium, France, Canada, Netherlands and Portugal gave Mapbox their best shot. As part of its ongoing bug bounty program, Mapbox includes 724 open source and public GitHub repositories in its scope. 

To reward the hacker for contributing to the security of open source, Mapbox decided to offer a special award for the day’s “Open Source Hero”.

Award winners for the day:

• The Exalted (most rep earned) went to intidc
• The Assassin (highest signal) went to cache-money
• The Exterminator (best bug) went to fransrosen
• The Pioneer - Open Source Hero (most open source bugs) went to errbysam
• The Most Valuable Hacker (MVH) went to 0xacb, a Portuguese hacker who was the winner of the h1-202 CTF! It is fantastic that for the first time ever, a CTF winner won the MVH.

“Working with hackers live and in-person was incredibly valuable for our security and product teams,” said Alexandra Ulsh, Information Security Engineer and bug bounty program lead at Mapbox. “We had conversations with every hacker participating and were blown away by the unique skill sets and expertise of each hacker. The live hacking event not only helped us build long-term relationships with 27 of the world's best security researchers, it also helped test and improve our internal processes for fixing vulnerabilities quickly, learning from those reports and developing the most secure products possible.”

André Baptista (0xACB) proudly holds up the H1-202 MVH championship belt

Since launching its private bug bounty program over three years ago and switching it public in 2016, Mapbox has worked with 76 hackers from all over the world to resolve 150 vulnerabilities and pay out over $80,000 in rewards. What a day! To learn more about Mapbox’s ongoing bug bounty program, visit https://hackerone.com/mapbox. 

Running live-hacking events around the globe are a team effort, we’re so fortunate for this community of caring people coming together to make the internet safer. 
 

Participating hackers, Mapbox and HackerOne team members pose at the end of H1-202

Happy hacking to all. And get ready, it’s only 3 days until #h1-415 in San Francisco. 

HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.